Published At-24 Jun, 2026 | 22:16
Updated At-26 Jun, 2026 | 05:16
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's Apple Sign-In handler verifies JWT signatures but skips claims validation. Any Apple-signed JWT with a non-empty iss is accepted regardless of aud, exp, nbf, or nonce. An attacker who obtains a target user's Apple identity token (from server logs, an intercepted sign-in flow, or another application sharing the same Apple developer team) can replay it to authenticate as that user, with no expiration on the replay window. This vulnerability is fixed in 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13.
CISA Catalog
| Date Added | Due Date | Vulnerability Name | Required Action |
|---|
| N/A | | |
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
| Type | Version | Base score | Base severity | Vector |
|---|
| Secondary | 3.1 | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| | | N/A | |
Type: Secondary
Version: 3.1
Base score: 7.4
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Weaknesses
| CWE ID | Type | Source |
|---|
| CWE-287 | Secondary | security-advisories@github.com |
| CWE-294 | Secondary | security-advisories@github.com |
Type: Secondary
Source: security-advisories@github.com
Type: Secondary
Source: security-advisories@github.com
Change History
0Changes found